Restricting DNS

I've been using Gargoyle Router for years but decided to give OpenWRT a shot, which is the basis of Gargoyle anyway. What I've found is that OpenWRT + Luci is not too bad and seems to be a little faster than Gargoyle. One thing I have not sorted out after a couple of days of research and trial and error is how to restrict the DNS OpenWRT uses to 195.46.39.39 or 195.46.39.40. I've made numerous changes but no luck; sites that should be blocked are not.

What's the best way to restrict the DNS to only the two above via Luci or via custom firewall rules?

Who would you like to restrict to those two servers? What OpenWrt uses for upstream servers and then provides to hosts on your LAN? What DHCP tells hosts on your LAN to use?

How are you "blocking" sites? Is there a specific package you're using for that?

  1. Enter Network, Interfaces/WAN and disable "Use DNS servers advertised by peer"; it will stop OpenWrt from utilizing the ISP's DNS server. (Do the same in WAN6 if you have IPv6.)
  2. Enter Network, DHCP/DNS and change DNS forwardings to use 195.46.39.39 and 195.46.39.40.

But I think you can effectively do the same thing with the adblock package or a Pi-hole with the right blocklists.

2 Likes
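The two steps above expressed as UCI commands, as an added example that is not part of the original post. It assumes the default OpenWrt interface names wan and wan6 and a single dnsmasq instance; the script only prints the commands, so you can review them before piping them into `sh` on the router. It also includes a small audit function that checks a resolv.conf-style file against the allowed upstream list, which is a quick way to confirm the ISP's servers are no longer in use.

```shell
#!/bin/sh
# Added example (not from the thread): emit the UCI commands for the two
# steps above, and audit a resolv.conf-style file against the allowed list.
# Assumed: default interface names wan/wan6 and a single dnsmasq instance.

ALLOWED_DNS="195.46.39.39 195.46.39.40"

# Print the uci commands that pin the router's upstream DNS to "$@".
gen_dns_uci() {
    # Step 1: ignore the DNS servers the ISP hands out on wan and wan6
    # (the "Use DNS servers advertised by peer" checkbox in LuCI).
    for iface in wan wan6; do
        echo "uci set network.${iface}.peerdns='0'"
    done
    # Step 2: give dnsmasq an explicit upstream list ("DNS forwardings") and
    # stop it from reading the peer-supplied resolv.conf as a fallback.
    echo "uci set dhcp.@dnsmasq[0].noresolv='1'"
    echo "uci -q delete dhcp.@dnsmasq[0].server"
    for srv in "$@"; do
        echo "uci add_list dhcp.@dnsmasq[0].server='${srv}'"
    done
    echo "uci commit network"
    echo "uci commit dhcp"
    echo "/etc/init.d/network reload"
    echo "/etc/init.d/dnsmasq restart"
}

# Audit: every "nameserver" entry in the given file must be in ALLOWED_DNS.
# Returns 0 if clean, 1 (and prints the offender) otherwise. On the router,
# point it at /tmp/resolv.conf.d/resolv.conf.auto to see what the ISP pushed,
# or at /etc/resolv.conf to see what the router itself resolves with.
audit_resolv() {
    file="$1"
    rc=0
    while read -r key value rest; do
        [ "$key" = "nameserver" ] || continue
        case " $ALLOWED_DNS " in
            *" $value "*) ;;
            *) echo "unexpected upstream: $value"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Usage: `sh dns-upstream.sh print | sh` on the router, or
#        `sh dns-upstream.sh audit /etc/resolv.conf`.
case "${1:-}" in
    print) gen_dns_uci $ALLOWED_DNS ;;
    audit) audit_resolv "$2" ;;
esac
```

Setting `noresolv` is belt-and-braces: with `peerdns` off on both WAN interfaces the auto-generated resolv.conf should already be empty, but if a third interface (a tunnel, say) ever pushes servers, dnsmasq still ignores them.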

I'd like all devices on the lan to use 195.46.39.39 & 195.46.39.40 only. I've made all changes like unticking "Use DNS servers advertised by peer" under wan and wan6 but no luck.

ipconfig /all from my PC shows
DNS Servers
fd54:ff5d:34fa::1
195.46.39.39
195.46.39.40
fd54:ff5d:34fa::1

I think the fd54 address is ip6, yes? I don't really want to use IP6 but not sure how to turn it off. I tried once yesterday and the router stopped working and I had to do a reset to defaults.

Ideas?

Here are my settings:

It's nearly impossible to prevent hosts on your LAN from manually configuring to get DNS elsewhere.

Since OpenWrt will serve DNS for you to your LAN hosts, perhaps the easiest way to get your LAN hosts to use your preferred servers is to have your DHCP advertise your OpenWrt box as the DNS of choice (this is default, I believe). Then, short of manual configuration, they use whatever your OpenWrt box is using (@orangepizza showed how to configure this just above).

Rather than fighting IPv6, if you configure it properly to advertise your OpenWrt box as the DNS server for your LAN (again, I think it is by default), it should "just work".

Yes, fd54:ff5d:34fa::1 is a ULA IPv6 address -- it's a private address space you and your boxes can use to communicate among themselves, that won't propagate over the open Internet. I'll bet that if you look at your IPv6 addresses in LuCI, or with ip -6 addr on the command line, you'll find that to be on your LAN interface. If so, it looks like OpenWrt is already advertising itself as the DNS server to use.

Set the router's upstream DNS to the IPs you want, then redirect all clients' DNS to your router.
The adblock package has an option to force local DNS.
( opkg install luci-app-adblock )

Force Local DNS : Redirect all DNS queries from 'lan' zone to the local resolver, apply to udp and tcp protocol on ports 53, 853 and 5353.

This handles user devices using a different DNS better, as the DNS server list sent by DHCP is only a recommendation and users can always set a different DNS manually.

1 Like
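What the "Force Local DNS" option described above amounts to in firewall terms, as an added example that is neither from this post nor taken from the adblock package's own code: UCI redirect rules that send lan-zone traffic on udp/tcp 53, 853 and 5353 to the router itself. It assumes the default `lan` zone name and the stock fw3/fw4 firewall; a redirect with `target='DNAT'` and no `dest_ip` lands on the router, and the sections are named so re-running the script updates the rules instead of adding duplicates.

```shell
#!/bin/sh
# Added example (not from the thread or the adblock package): emit UCI
# firewall redirect rules that force lan clients' DNS to the router.
# Assumed: the default 'lan' zone name and an fw3/fw4 OpenWrt firewall.

# Ports from the adblock option text: plain DNS, DNS-over-TLS, mDNS.
FORCE_PORTS="53 853 5353"

# Print uci commands for zone "$1" (default lan). Only prints; pipe into sh.
gen_force_dns_uci() {
    zone="${1:-lan}"
    for port in $FORCE_PORTS; do
        for proto in udp tcp; do
            # Named section: re-running updates instead of duplicating rules.
            sec="force_dns_${proto}_${port}"
            echo "uci set firewall.${sec}=redirect"
            echo "uci set firewall.${sec}.name='Force-DNS-${proto}-${port}'"
            echo "uci set firewall.${sec}.src='${zone}'"
            echo "uci set firewall.${sec}.proto='${proto}'"
            echo "uci set firewall.${sec}.src_dport='${port}'"
            # No dest_ip: DNAT without a destination redirects to the router.
            echo "uci set firewall.${sec}.dest_port='${port}'"
            echo "uci set firewall.${sec}.target='DNAT'"
        done
    done
    echo "uci commit firewall"
    echo "/etc/init.d/firewall restart"
}

# Usage: `sh force-dns.sh print | sh` on the router, or
#        `sh force-dns.sh print guest` for a second zone.
case "${1:-}" in
    print) gen_force_dns_uci "${2:-lan}" ;;
esac
```

Port 53 is the one that actually gets answered, since dnsmasq listens there; redirecting 853 and 5353 to a router that has no listener on those ports simply makes those connections fail, which is the intended effect. On fw4 (OpenWrt 22.03 and later) a redirect with no `family` set covers both IPv4 and IPv6; on fw3 redirects are IPv4 only. None of this catches DNS over HTTPS, which looks like ordinary web traffic on port 443, as the next reply points out.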

FWIW, Gargoyle had no problem forcing the DNS and preventing users from setting their own (two clicks), though I don't know how exactly it was done in the back end. At any rate, I'm willing to trade it for the 15% more bandwidth that I get with OpenWRT.

Blocking the ports is pretty easy with OpenWrt as well. Unfortunately, so is a client using DNS over HTTPS, which looks just like valid web browsing.

Glad you’re enjoying OpenWrt.

1 Like